The most popular and comprehensive Open Source ECM platform
Google is a heavy user of Open Source software, hence they are keenly interested in tracking any bugs or vulnerabilities that might get introduced into Open Source code as updates to code in OS projects are made.
Google created a tool called Open Source Vulnerabilities (OSV) which they launched in February. It uses a database of Open Source code updates and can be queried to help determine exactly which code changes introduced problems into the OS project.
OSV makes querying for open source project vulnerabilities easier and more accurate. It also makes it easier to be able to gather information to include for publishing information about vulnerabilities.
Google Security Team members explained in a blog that “OSV aims to simplify the vulnerability reporting process for an open source package maintainer by accurately determining the list of affected versions and commits. This requires providing both the commits that introduce and fix the bugs. If that information is not available, OSV requires providing a reproduction test case and steps to generate an application build, and then it performs bisection to find these commits in an automated fashion. OSV takes care of the rest of the analysis to figure out impacted commit ranges (accounting for cherry picks) and versions/tags.”